In the regulatory arena, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released proposed changes to the HIPAA Privacy Rule in late January 2021. The proposed regulations make several modifications to HIPAA requirements, including changes that enhance individuals’ access to their own health information and require revisions to privacy notices. Although the rules were announced under the prior Administration and are subject to President Biden’s Regulatory Freeze Pending Review, many of these rules were previously raised by President Obama’s Administration and are likely to be adopted.
A key legislative development to note is an amendment to the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) that requires HHS to consider a covered entity’s or business associate’s use of “recognized security practices” when conducting an audit, assessing penalties, or seeking corrective action for violations. Recognized security practices may include practices consistent with standards promulgated by the National Institute of Standards and Technology (NIST) or approaches under the Cybersecurity Act of 2015.